Security risks of using eval() to execute user input in JavaScript

伪装坚强ぢ 2020-12-07 02:31

I'm planning on throwing together a quick web page for my students to teach them about JavaScript programming. On this page, I'd like to give them a text box and allow the

7 answers
  •  暗喜 (original poster)
    2020-12-07 02:42

    If it's on a local "Throw-away" machine, then there is very little risk. Since everything is being run client-side, they can only harm themselves with JavaScript. Worst case they could be opening Ajax connections, but that's not much more harmful than giving them a Firefox with the Tamper Data add-on.

    In short, there's very little risk (except performance-wise) of giving them free rein with JavaScript except to the machine they are using, but it's still nothing they couldn't do themselves if crafty enough. I'd recommend either having them run it on their own machines, or on a demo box that you can re-image at any time when it gets too laden with crap to continue running.

    Now, giving them eval access to PHP/etc on the other hand would be a horrible, terrible idea.
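
Added example, not part of the answer above or of the original question: a minimal runner for the kind of text-box page the question describes, contrasting direct `eval`, which can read the calling function's local variables, with `new Function`, which cannot. The names `directEvalRun`, `runStudentCode`, `pageConsole` and `teacherNotes` are hypothetical; both forms still share the page's globals, and neither stops a loop that never ends.

```javascript
// Added example; all names and sample values are constructed for illustration.

// Direct eval: the snippet runs inside this function's scope and can read its locals.
function directEvalRun(source) {
  const teacherNotes = "constructed-sample-value"; // local the page did not mean to expose
  return eval(source);
}

// Runner using new Function: the snippet is compiled as a function body in the
// global scope, so it cannot see the runner's locals. It still shares globals
// (in a browser: document, localStorage, fetch), and a loop that never ends
// will still block the thread.
function runStudentCode(source) {
  const teacherNotes = "constructed-sample-value"; // not reachable from the snippet
  const output = [];
  // Stand-in console passed as a parameter so log lines can be shown on the page.
  const pageConsole = {
    log: (...args) => output.push(args.map(String).join(" ")),
  };
  try {
    const fn = new Function("console", '"use strict";\n' + source);
    const result = fn(pageConsole);
    return { ok: true, output, result };
  } catch (err) {
    // Syntax errors (thrown by new Function) and runtime errors both land here.
    return { ok: false, output, error: `${err.name}: ${err.message}` };
  }
}

// Constructed sample snippets, as a student might type them into the text box.
console.log(directEvalRun("teacherNotes"));
console.log(runStudentCode("console.log('sum', 1 + 2); return typeof teacherNotes;"));
console.log(runStudentCode("console.log('before'); missingFn();"));
```

Because the snippet is wrapped as a function body, a student uses `return` to hand back a value, and a failed run still reports the lines logged before the error.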
